Security

The trust architecture is the foundation. Every design decision in the sandbox starts from the assumption that external agents will interact with the growth layer, and that operators must never lose control.

  • Dual authentication. Session-based authentication for the operator dashboard. API key authentication for external agents. Two surfaces, two auth models.
  • Operator isolation. Every database query is scoped to the authenticated operatorId. No cross-tenant data access is possible at the query level.
  • Immutable event log. All lead_events are append-only. No updates, no deletions. The audit trail is the source of truth.
  • Scoped permissions. Operators see only their own data: leads, outcomes, contracts, events. Scope is enforced at the data layer, not the application layer.
  • Rate limiting. Per-operator rate limits protect the growth layer from abuse. Limits are enforced on both the dashboard and API surfaces.
  • Audit trail on all mutations. Every state change (lead creation, status transition, outcome verification) is logged with timestamp, actor, and context.
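
As an added example (not the project's own code), the sketch below shows how three of the properties above can be enforced in the data layer rather than in route handlers: every read and write takes the authenticated operatorId, the event log exposes no update or delete path, and rate limits are tracked per operator. The class names `LeadStore` and `OperatorRateLimiter`, the key layout and the event field names are assumptions for illustration.

```javascript
// Hypothetical data layer (added example, not the project's code): tenant scope is
// enforced here, lead_events are append-only, and every mutation records an event.
class LeadStore {
  #leads = new Map(); // key `${operatorId}/${leadId}` -> { status }
  #events = [];       // append-only audit trail; no update or delete method exists

  // The only write path into the event log. Entries are frozen on insert.
  #record(operatorId, leadId, type, actor, context) {
    const event = Object.freeze({
      id: this.#events.length + 1, operatorId, leadId, type, actor,
      context: Object.freeze({ ...context }), at: new Date().toISOString(),
    });
    this.#events.push(event);
    return event;
  }
  createLead(operatorId, leadId, actor, context = {}) {
    const key = `${operatorId}/${leadId}`;
    if (this.#leads.has(key)) throw new Error('lead already exists');
    this.#leads.set(key, { status: 'new' });
    return this.#record(operatorId, leadId, 'lead.created', actor, context);
  }
  // A transition on a lead the operator does not own fails exactly like a missing
  // lead: the key embeds operatorId, so no cross-tenant lookup path exists.
  transition(operatorId, leadId, status, actor, context = {}) {
    const lead = this.#leads.get(`${operatorId}/${leadId}`);
    if (!lead) throw new Error('lead not found');
    const from = lead.status;
    lead.status = status;
    return this.#record(operatorId, leadId, 'lead.status', actor, { ...context, from, to: status });
  }
  // Reads are scoped the same way; there is no unscoped query.
  events(operatorId) { return this.#events.filter(e => e.operatorId === operatorId); }
  status(operatorId, leadId) { return (this.#leads.get(`${operatorId}/${leadId}`) || {}).status; }
}

// Per-operator sliding-window rate limiter; `now` is injectable so tests control time.
class OperatorRateLimiter {
  constructor({ limit, windowMs, now = Date.now }) {
    Object.assign(this, { limit, windowMs, now, hits: new Map() });
  }
  allow(operatorId) {
    const t = this.now();
    const recent = (this.hits.get(operatorId) || []).filter(ts => t - ts < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(t);
    this.hits.set(operatorId, recent);
    return allowed;
  }
}
```

The same scoping discipline applies to a real database: a query that does not carry the operatorId should be impossible to express through the data layer, not merely discouraged.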